Part 2, Steganography; Hiding from eDiscovery in plain sight


In my last blog I described a unique way of hiding incriminating data from eDiscovery queries in plain sight. In the example, I was able to hide obviously responsive information in a QR code attached as part of the signature to an email message.  The point was to show that ESI, especially email, can still be used to communicate with others and remain under the radar of the best eDiscovery search applications.

Now let’s look at another way to hide incriminating ESI from eDiscovery search applications.

The technique is called Steganography. Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message; a form of security through obscurity. The best known Steganography technique hides information in standard graphic images.

Graphic #1: Tree

The above image of a tree includes a steganographically hidden image. The hidden image (the image of the cat below) is revealed by removing all but the two least significant bits of each color component and a subsequent normalization. The hidden image is shown below.

Graphic #2: Cat

You can hide any electronically stored data in any graphic image. As in the example above, a picture can be hidden in another picture. But the technique is not limited to hiding pictures in pictures. A word document, a schematic, even a sound file can be embedded and hidden in any graphic.

There are several free steganography applications available on the internet. I found and tested two; Invisible Secrets 2.1 and Xiao Steganography. Both use JPEG images as the “carrier” device.

How can this technique be used to pass incriminating information to someone else? Using the email example from my previous blog, let’s look at the example email message below from Bill to Ken.

Email example #1

There is absolutely nothing out of the ordinary in this email and would not trigger an eDiscovery search application to flag it as suspicious. Look closely at the email signature especially the eDiscovery101 graphic. Now look at the email below:

Email example #2

The second email looks exactly the same. Again there would be no reason for an eDiscovery search application to flag it as suspicious. But, hidden in the second email’s eDiscovery101 graphic is the very incriminating Word document shown below:

Graphic #3: Incriminating letter

This raises the question; if you were conducting an eDiscovery investigation, how would you ever suspect that there is additional responsive data included in the in the “eDiscovery101” email signature graphic and if you did suspect hidden data, how could you prove it?

To answer the first question, we need to understand how steganography applications work. For this example I will use the Invisible Secrets 2.1 application.

The application includes a helpful wizard to quickly walk you through the process.

The first step is to decide which graphic file you will use as the “carrier” for the incriminating data. In this case I will use my standard JPEG file for my blog, eDiscovery101.

The next step is to select the source file or in this example the incriminating letter from above.

Next, a password for encryption of the incriminating letter is requested. This will insure the incriminating (hidden) data in the eDiscovery101 graphic cannot not be accessed, even if suspected.

Lastly, you need to give the application a destination file name. In this case I named it something obvious and familiar, eDiscovery101s.jpg, so as not to draw attention to it. At this point, after the “Next” button is pressed, the new graphic file is created and can be inserted into the email signature.

Detecting hidden data via automation is tough if not impossible. As I mentioned before, As far as I know, there is no eDiscovery application which can recognize and flag steganography. To have a chance, you must already suspect a custodian and then manually look for inconsistencies. For this example, the only way to tell if a given graphic contains hidden data is to compare the size of the images. The two eDiscovery101 images have different sizes. The original eDiscovery101 image is a 52KB JPEG file, while the second eDiscovery101 image is a 78KB JPEG file. Another clue to hidden data would be to search for know steganography applications on the custodian’s desktop or laptop (if they didn’t delete it after creating the hidden data). But remember, even if you find a suspicious image, without the encryption password you will never be able to open it.

To protect organizations from this type eDiscovery liability they can put some basic measures in place. Most importantly, include in your email system use policy a definitive statement about using these types of encryption applications on any organization owned assets, and audit custodians for enforcement. You could also forbid placing graphic images within the body of an email but this is not realistic. For example you could insert the same incriminating letter mentioned above into a table within a spreadsheet and convert that table to a JPEG. Below is a spreadsheet converted into a JPEG image file with the same incriminating letter embedded in it.

Spreadsheet #1

Would the above spreadsheet embedded into an email raise suspicions? Probably not… If custodians are determined to hide data in plain sight, they can with little chance of being caught.

Advertisements

Hiding from eDiscovery in Plain Sight


QR or “quick response” Codes have been showing up a lot more in the last year. A QR code is a matrix barcode (or two-dimensional code), readable by QR scanners, also readable by mobile phones with a camera, tablet computers with built-in camera including iPads, and smartphones including iPhones. The code consists of black modules arranged in a square pattern on white background. The information encoded can be a text message, a SMS message, a URL, an email reply or several other types of data. The QR code in the top left corner of this blog is the QR code for the URL for the eDiscovery101.net blog site.

QR codes are increasingly gaining acceptance in United States business and end user mind share, though they have been popular in some Asian countries for many years.

So what do QR codes have to do with eDiscovery? A friend of mine was telling me about a new business he had started using QR codes in a very unique way and it occurred to me to wonder if eDiscovery collection and review applications would be able to recognize data encoded into QR codes and if not, how could custodians use QR codes to pass information they didn’t want to be found in an eDiscovery process. For example, could you email information to others without calling attention to yourself by using encryption or have the content indexed and flagged by eDiscovery applications?

The answer is absolutely…

Look at the following email example:

The QR code embedded in the email message is simply a link to the URL for this blog site. To connect to this site you would start up your free QR code scanner on your iPhone and it would automatically link you to the site. If the above email was part of the email corpus in an energy price manipulation case, would it be flagged for any suspicious activity?

But the main point is when collecting and running millions of emails through eDiscovery software, QR codes, as far as I can tell, would not be readable and index-able by any known eDiscovery software.

Now take a look at the email message again:

If you were to scan the above QR code with your free QR code scanner, you would see the following:

As you can see, a great deal of text can be embed in a QR code that is readable by a free QR scanner pointed at a printout or even your computer display.

Is the above example a reasonable way to pass information that you don’t want caught by eDiscovery processes? Not really…an easier way would be to call someone and give them the message verbally but I wanted to point out that eDiscovery search and review applications are not 100% effective and custodians can beat them if they really try. eDiscovery vendors need to be constantly on the lookout for these new techniques of sending and receiving ESI.

Assembling an effective Exchange data retention policy


From an article by Kevin Beaver, CISSP at Searchexchange.techtarget.com

Data retention is one of those unsexy areas of IT management that we know needs to be addressed but would rather ignore. Besides, that’s what your legal team is for, right?

Well, not really. And unfortunately, data retention is not something you can avoid. There are real ramifications if your business doesn’t properly retain and protect email messages, especially once there’s notice of a lawsuit. In addition, you can also create unnecessary business risks by holding onto Exchange email too long.

Data retention policy dos and don’ts
Exchange data retention is a science, not an art. You must have a clear and concise idea of what your business is willing to take on. Otherwise, you run the risk of increased liability, spoiled evidence and numerous other negative side effects when lawyers get involved.

Some companies think it’s as simple as saying, “We’re saving all email indefinitely” or “We should try to save what’s needed, and then delete everything else after a year or so.” It’s not.

Another common gaffe is when in-house legal counsel downloads a template off the Web and pulls a random retention time out of the air. Some people mistakenly think that this is enough for an effective data retention policy.

The entire article can be read here

Golf and Early Case Assessments – A Drama


Effective early case assessment is dependent on a complete data set.

On the average 97% of data generated within businesses is electronic. The average employee generates and receives up to 20 MB of email and potentially hundreds of MBs of office work files per day. Litigation is a huge problem these days for businesses. A huge amount of the cost of litigation is the cost of finding and reviewing electronically stored information (ESI) for both early case assessment as well as eDiscovery request response. ESI can hide anywhere in the corporate infrastructure; custodian workstations, network share drives, USB thumb drives, CD/DVDs, iPods etc. A centrally managed and fully indexed archive can speed the collection and review of potentially responsive records for early case assessment as well as more fully control and insure the placement of litigation holds.

No matter the case, the first question when you’re faced with litigation is whether the case has merit. If you haven’t prepared a case assessment strategy ahead of time, it will be difficult to quickly and effectively determine your strategy going forward; should you settle or fight…

An early case assessment capability provides you with four obvious benefits:

  • Provides an early indication of the merits of the case – do you have any actual liability.
  • Can suggest the proper strategy going forward.
  • Can provide you an estimate of the cost of defending the case and the time required.
  • Will help you plan for the discovery process and prepare for the “meet and confer” meeting.

Let’s look at some scenarios.

Scenario #1

You’re the General Counsel of a publicly traded software company in the state of California.

It’s a Friday near the end of summer and you’re sitting in your office thinking about your Hawaiian golf vacation which begins tomorrow.

You’re checking the last of your mail before you leave for 3 weeks.

You open a letter from an outside law firm addressed to you…

(Your secretary hears a string of profanities emanating from your office)

You immediately think to yourself; once this news gets out, your company’s stock will be hammered, your board of directors will want an update yesterday, your channel partners will want to be advised on their potential liability, sales that are in process will stop, your CEO will want to know if the case has merit…and your wife will want to know why you just cancelled the Hawaiian vacation she was looking forward to (she was staying home).

What to do first?

You call the plaintiff’s law firm of Tolson & Yonamine to determine what this case is based on…what’s driving it. The Partner managing the case can’t be reached but 2 hours later you receive a fax (a fax, really?) of a printed email that looks like it came from within your company…

What the…? Who, in their right mind would seriously consider something like this much less put it in writing?

Ok, first things first. Your next steps are:

  • Find out who “Jennifer” is, who she reports to and what department she work in. Also find out if she is even still with the company
  • Call the VP of IT and let her know what’s going on and verbally tell her to secure any infrastructure data from Jennifer or Bob
  • Follow that up by sending an email to the VP of IT asking her to secure Jennifer and Bob’s email boxes, and any backup tapes for their respective email servers
  • Send an email to Jennifer informing her of the litigation hold, her duties under it and the consequences if the directions are not followed
  • Send an email to Bob informing him of the litigation hold, his duties under it and the consequences if the directions are not followed
  • Instruct  the VP of IT via email to find the original of the email in question on the email servers or backup tapes

To complicate matters, the VP of IT calls back immediately to tell you that the company only keeps backup tapes of the email servers for 30 days and are then recycled. She also informs you that the company has a 90 day email retention policy meaning that employees must clear emails older than 90 days out of their mailbox or the company will do it automatically. Copies of those emails, if they exist, will only be available on the employee’s local workstations. You think to yourself; if that’s the case, how did the outside law firm get them?

You send one of your staff attorneys and an IT person to both Bob and Jennifer’s offices to look for a copy of the email on their local computers etc.

Later, you find that Bob has a 3 GB PST, local personal email archive, on his laptop where the email might exist but for some reason the IT guy can’t open it. IT calls Microsoft support and is told that the PST is too big and is no doubt irrevocably corrupted.

In the mean time, one of your staff attorneys spends 4.5 hours at Jennifer’s office and eventually finds a copy of the email in her local PST… the email really does exist…%$#@!!. She has no idea why she would have written something like that and there are no records of any other emails associated with that particular smoking gun email. Because the email in question is older than the company’s oldest email server backup tapes, your early case assessment is stopped dead for lack of data.

Now what?

After several months of negotiating with ABC Systems and their law firm, you settle for damages of $35 million and an apology published in the business section of the San Jose Mercury News.

In the preceding scenario, the available early case assessment process suggested that the case might have merit and should be settled before more resources were expended. In this case, the early case assessment was negatively impacted by a shortage of data due to retention policies that were put into place mainly for storage management reasons.

Having access to all relevant information early on can mean the difference between fighting a winnable case and settling the case early for hopefully much less then is being asked for. An early case assessment strategy with the right tools can improve the odds of a favorable outcome.

Early Case Assessment with Proactive ESI Archiving

Let’s look at the preceding scenario with one difference… the defendant has an ESI archiving system and a more common sense retention policy which in this case includes a 3 year retention policy for email.

You are the General Counsel of a publicly traded software company in California

It’s a Friday near the end of summer and you are sitting in your office thinking about your Hawaiian golf vacation which begins tomorrow

You open the last of your mail before you leave for 3 weeks

You open a letter from an outside law firm…

This can’t be real. This must be a joke from your $*@$!! Brother-in-law. After calling him and determining it’s not a joke you think to yourself; NOW WHAT?

You call the opposing counsel to determine what this case is based on. The partner managing the case can’t be reached but 2 hours later you receive a fax showing a printed email that looks like it came from within your company…

Next, you must place a litigation hold on all potentially responsive records

  • Find out who “Jennifer” is, who she reports to and what department she work in. Also, is she even still with the company
  • Call the VP of IT and let her know what’s going on
  • Instruct one of your staff attorneys to query the email archive to determine if that specific email exists, and to provide the entire conversation thread around that email so you can review it for intent.

Your staff attorney quickly queries the archive and pulls up a copy of the email message with the entire conversation thread, puts the entire conversation thread on litigation hold and sends you the following email…

“Boss, the email in question was based on the following conversation thread starting with the CEO:”

“Based on the early case assessment using the email archive and the conversation thread capability, I found that the “smoking gun” email was taken out of context and can prove the case has no merit…We should talk to opposing counsel as soon as possible to end this now.”

You think to yourself; whatever person’s idea it was to get that email archiving system in place should be given a load of stock options…

You spend the next morning talking to the opposing counsel…the action is withdrawn a month later…

You continue with your golf vacation having only missed two days and your wife is especially happy you were able to go on your vacation (alone).

An important aspect of an early case assessment is to tell you if the case has merit. It’s difficult to make an informed assessment about a case without all the data…

Discovering the public cloud in Outlook


In my blog “The coming collision of “free to the public cloud storage and eDiscovery” posted on June 23, I talked about these new free cloud storage options and how they could become a problem in the litigation/eDiscovery process. While researching that blog, I found an interesting capability with Microsoft Outlook and the various cloud storage offerings.

It is called a email folder URL redirect. Microsoft Outlook includes the capability to associate an email folder with a Web page. You can set up this association so that when you select the email folder, the Web page appears or the contents of the folder appear.

This capability can be useful when you want to include internal instructions or news about the organization. Another example would be a redirected folder pushed out to all in the organization announcing a litigation hold and answering questions about the hold, expectations, target content etc.  Although this capability provides the opportunity to create powerful public folder applications, non-approved scripts can be included on the Web page that access the Outlook object model, which exposes users to security risks so users should not be adding redirected email folders without IT’s approval.

So how does this capability, email folder URL redirection, relate to cloud storage? All four of the “free to the public cloud storage” offerings mentioned in the blog include a web page where files can be uploaded, viewed and downloaded. This means, for example, the Amazon Cloud Drive service could be a redirection target for an Outlook email folder.

Use the following steps to create and associate an e-mail folder with a Web view:

  • If you don’t already have a folder list showing in your Outlook front end, click on the View menu, then click Folder List.
  • Create a new folder in the folder list called Amazon Cloud by right clicking on the top most folders where you want to create the Cloud folder under. Then type in the new folder name Amazon Cloud

Figure 1: Create a new email folder called “Amazon Cloud”

  • In the Folder List, right-click the folder that you want to associate with a Web page, and then click Properties on the shortcut menu.
  • In the Property dialog box, click the Home Page tab.
  • In the Address box, type the URL for the Amazon Cloud drive web page.
  • Click to select the Show home page by default for this folder check box if you want the Web view active.

Figure 2: Input the URL address of the Amazon Cloud drive webpage

  • Click OK.

Now, by clicking on the new email folder, you will see the Amazon Cloud drive sigh in webpage.

Figure 3: Access and sign in to your Amazon Cloud drive webpage

Figure 4: You now have full access to your cloud storage from within Outlook

Some things you can now do include being able to open files from within your Amazon Cloud Drive. Once opened, data can be copied and pasted to a new email you might be creating.

Some things you can’t do directly include saving an email attachment directly to your cloud drive, dragging a file in your cloud to an email. For both these capabilities, an interim step is required. Namely coping files to your desktop first.

If that’s the case, is this capability useful? That depends… If you utilize a “free to the public cloud storage” service then you may want a more direct capability to view content in your cloud from within Outlook. This is somewhat of a stretch but you never know.

The main reason I’ve highlighted this capability is to illustrate how difficult the eDiscovery collection and litigation hold processes are getting when custodians have all these different options for storing (hiding) potentially responsive ESI.

Email Storage Growth – Perspective for the Information Age


From a blog by Bob Spurzem at the Information Management site

One of the more interesting aspects of email is how us users have adopted it in this new age of information.

If you are like me and have been actively using email at work for 15+ years, you remember the days when 10MB was considered a standard mailbox size. We could send 10-20 emails per day and were able to save email for months. Today, receiving 100-150 new email per day is very common. A 10MB mailbox would fill in a single day at those rates.

What is interesting is that email growth, as measured both in number of email per day and average size of email, appears to have plateaued. (Thank God!) One cause for this is the growth in alternative methods of communication that offer similar reliability and ease of use. Examples include cell phones (both traditional and smart) with full keypads, enterprise applications like SalesForce.com that include email and new social networking portals like Twitter, LinkedIn and Facebook. So when we examine the total use of email-like communication, I would wager to say that the total number of daily communication messages is still increasing, just across different types of technology.

The challenge to organizations is how to harness this growth. Where in the past, email storage was always treated as a scarce resource; new email providers like Google and Yahoo embrace the modern view of keep it all. Gmail was the first to offer multi-GB-sized mailboxes, and others quickly followed. A seven GB mailbox comes free with Google Gmail and, for a small fee of $5/year, you can have 20GB of capacity.

Microsoft is responding to user demand for capacity with its flagship email application – Exchange 2010. Based on many improvements to Exchange 2010, Microsoft claims support for 10GB mailboxes, and it offers simultaneous mailbox support in its cloud offering, Office 365. It will be interesting to see if exchange administrators shake their hardened attitudes toward keeping Exchange mailbox sizes small and embrace larger mailbox capacity.

In my next blog, I will take a look at how companies can improve business processes by saving email versus deleting it.

New York lawmakers propose legislation to enforce archiving for governor’s emails


“A recent proposal will mandate the current and future governors of New York to use an email archiving solution that will offer permanent access to important documents, the Times Union reports.

The most recent proposal marks the second-consecutive year New York lawmakers have passed legislation that creates more strict regulations forcing governors to submit emails to state archives. The bill’s proponents have stressed the historical benefits of integrating a government email archiving solution.

“Without documentation from successive governors’ administrations, the history of New York state is, and will remain, incomplete,” said Camille Jobin-Davis, assistant director of the state Committee on Open Government, in a memo in support of the bill, the news provider reports.

Lawmakers have been pushing for improved documentation of state government emails for the past year in an effort to fill a current void in the state’s information management requirements. Jobin-Davis criticized the state’s current email regulations and said they provide “minimal” guidance by allowing governments to freely destroy emails.”

The entire article can be read here

Email archiving has become an important tool to ensure transparency among government agencies. Citizens want to be able to have access to all areas of how their government is run. Email archiving ensures government agencies, including governors, are making their records available for review.